Brussels launched an age checking app. Hackers say it takes 2 minutes to break it.
Posted by BendicantMias@reddit | anime_titties | View on Reddit | 50 comments
The European Union’s unveiling of a mobile app to check people’s age online has quickly turned sour, as cybersecurity experts found glaring privacy and security problems with the code.
Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes.
Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.
For more details -
According to Moore, the app stores an encrypted PIN locally, but crucially, the encryption is not tied to the user’s identity vault, where sensitive verification data is kept.
That opens the door to a surprisingly simple bypass. By deleting specific values tied to the PIN from the app’s configuration files and restarting it, an attacker can set a new PIN while still retaining access to credentials created under the previous profile.
In effect, the app accepts reused identity data under a newly defined access control.
Moore also pointed to additional weaknesses that make brute-force or bypass attempts even easier.
Rate limiting, typically used to prevent repeated guessing of PINs, is stored as a simple counter in the same editable configuration file. Reset it to zero, and the system forgets how many attempts have already been made.
Biometric authentication, meanwhile, is controlled by a single boolean flag. Flip it from “true” to “false,” and the app simply skips biometric checks altogether.
The backlash quickly drew in high-profile voices, including Pavel Durov, co-founder and CEO of Telegram, who framed the incident as more than just a technical misstep.
In a post on his Telegram channel, Durov argued the app’s weaknesses may not be accidental.
“Their age verification app was hackable by design — it trusted the device,” he wrote, calling that “instant game over” from a security standpoint.
He went further, outlining what he suggested could be a broader trajectory for the project: first introducing a system marketed as privacy-friendly, then tightening controls after inevitable breaches.
“Present a ‘privacy-respecting’ but hackable app… get hacked… remove privacy to ‘fix’ the app,” he opined, describing the end result as “a surveillance tool sold as privacy-respecting.”
https://cybernews.com/security/eu-age-verification-app-hack/
Original Tweet - https://x.com/Paul_Reviews/status/2044723123287666921
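One way to close the gap the article describes, as an added example that is not the EU app's code: the credential vault is sealed under a key derived from the PIN itself, so deleting the stored PIN and setting a new one yields nothing to decrypt, and the attempt counter and biometric flag are authenticated so that an edited config file is rejected instead of trusted. DEVICE_KEY stands in for a key held in the platform keystore (an assumption; it must not be readable from the config file), and the HMAC-counter stream cipher is a stdlib-only illustration, not a production AEAD.

```python
import hashlib
import hmac
import json
import secrets


def derive_vault_key(pin, salt):
    """The vault key exists only as a function of the PIN; nothing on disk can stand in for it."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as an illustrative stdlib-only stream cipher.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal_vault(pin, plaintext):
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_vault_key(pin, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(pin, sealed):
    key = derive_vault_key(pin, bytes.fromhex(sealed["salt"]))
    nonce, ct = bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(sealed["tag"])):
        return None  # wrong PIN or tampered blob: no key, no credentials
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Assumption: DEVICE_KEY models a keystore-held key that the config file cannot reveal.
DEVICE_KEY = secrets.token_bytes(32)


def write_config(state):
    """Counter and biometric flag are stored with a MAC, so edits on disk are detectable."""
    body = json.dumps(state, sort_keys=True)
    mac = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})


def read_config(raw):
    wrapper = json.loads(raw)
    expected = hmac.new(DEVICE_KEY, wrapper["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["mac"]):
        return None  # edited on disk: do not trust the counter or the flag
    return json.loads(wrapper["body"])


def unlock(raw_config, sealed, pin, max_attempts=5):
    """Returns (credentials or None, updated raw config). Lockout survives because
    the counter is authenticated and only this code can rewrite it."""
    cfg = read_config(raw_config)
    if cfg is None or cfg["attempts"] >= max_attempts:
        return None, raw_config
    data = open_vault(pin, sealed)
    cfg["attempts"] = 0 if data is not None else cfg["attempts"] + 1
    return data, write_config(cfg)
```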
VicenteOlisipo@reddit
This is true, but it's also a "hack" that only accomplishes using the app for a second time after resetting it without putting in your data a second time, in a jailbroken phone. It doesn't let you extract any personal data from anyone. And 99% of potential won't be able to perform this "hack" to access adult stuff, which (imo unfortunately) seems to be the goal.
Feeling_Kick5545@reddit
Doesn’t matter if the phone is jailbroken or has root access. I would like to use my phone and if the developers assume I don’t then it’s their problem. Somehow, the PC firmware seems much more sophisticated and is purely server-based (banking websites etc.) while on mobile they assume from the start I would like my experience to be restricted.
hiddentalent@reddit
No, "Brussels" didn't "launch" an age verification app. It published to GitHub, an open-source development platform, a prototype of the UI for such an app with clear documentation stating that it had not yet gone through security review and was not suitable for public use. That's not a "launch," that's a demo.
I think requiring age verification is a bad idea that puts people at risk because whatever databases are holding all that personal info are going to be very attractive targets. But we need to have a serious public policy debate about that balance, and this kind of strident exaggeration helps allow people to discount serious concerns.
LitwinL@reddit
Those databases already exist as nations have to keep the data of their citizens somewhere.
SpontaneousFlame@reddit
There’s no current government database of all your browsing history for non-government web sites. They normally have to get a warrant for that. This gives them all that data.
LitwinL@reddit
It does not. If anything it works more like 2FA and you're not giving all your browsing history to 2FA providers.
SpontaneousFlame@reddit
You are giving all 2FA providers the names of all the web sites which you use 2FA on.
LitwinL@reddit
Which is different from browsing history. You can use Reddit for porn or educational purposes, but the 2FA provider will not know that.
SpontaneousFlame@reddit
But other sites they will, because most sites are single use.
LitwinL@reddit
That's only if that data gets stored
SpontaneousFlame@reddit
Why wouldn’t they?
LitwinL@reddit
Because there's no need for it, and we live in democracies.
SpontaneousFlame@reddit
Heh. You are well behind the times. Most governments and security agencies think their populations are the enemy. Look at the five eyes domestic surveillance BS and tell me it’s normal to ship every phone call made in a country to another country.
LitwinL@reddit
Not the population. Just bots/foreign agents pretending to be the nationals
SpontaneousFlame@reddit
No, that’s a lie. Everyone inside is deemed the enemy.
LitwinL@reddit
Riiiiight.
kapuh@reddit
The discussion around this tweet is very fascinating to watch.
On one hand we have people who are happy the EU does that in Open Source so things like that can be spotted on the other hand there is the "EU evil"-conspiracy from the usual suspects.
The real danger here is that the outrage cycle pushes the EU to ditch open-source for a "trusted" commercial vendor. With a private contractor, we lose the ability to audit the code entirely. We’d be trading transparency for a "trust us" sticker, while a private entity quietly monetizes the metadata behind a black box.
hiddentalent@reddit
This whole news cycle is because they posted the prototype on GitHub, which is an open-source development platform that absolutely gives you and everybody else the ability to audit the code entirely. That's exactly why this security researcher gets to make his exaggerated claims. There's no "trust us" and no "monetization of data". That's the whole point and the whole reason anyone is having this discussion.
But some people are so poisoned by Internet cynicism they see mustache-twirling robber barons behind every blade of grass.
Tall_Candidate_8088@reddit
This is bullshit.
There's a campaign to create doubt over the application.
Transmetropolite@reddit
Or..... It's a shitty app made to restrict the rights of the users of the Internet under the guise (once again) of protecting children.
The fact that it's a shittily coded app on top of being a tool of restriction should come as a surprise to absolutely nobody.
Tall_Candidate_8088@reddit
It's a state of the art open sourced application to prevent surveillance and data abuses of tech companies and hostile foreign nations.
It's a tool of restriction against the people we want to restrict.
You sound like a Russian bot with that spiel.
Transmetropolite@reddit
State of the art, hackable, app.
How does age verification equate to surveillance prevention?
We want to restrict adults from what exactly?
And I feel that you sound like a bellend no matter what comes out of your mouth.
Tall_Candidate_8088@reddit
I only sound like a bellend because you're thick and don't have a clue what you're talking about and spend your time repeating talking points you've acquired online like a parrot.
It's not hackable, it doesn't restrict anyone from doing anything and the same ID system is going to be used to prevent unauthorized people from accessing your data, e.g. they will need ID to access your data.
BendicantMias@reddit (OP)
Bruh, you have a hidden profile and barely any karma. Are you even human? Or a bot? His profile doesn't raise so many red flags, but yours does..
Tall_Candidate_8088@reddit
Not a bot man, I was initially against this ID system too because I oppose surveillance and data gathering and all the other bullshit that happens online. I don't exactly trust the powers in government all the time either. So I looked into it and did my research, I have a background in tech so I understand the area. Turns out this is a decent way of sorting out all the bullshit that happens online and all the EU legislation is pretty bang on, it's actually designed to stop surveillance and tracking online.
There's no way of protecting your data or identity online unless something like this exists. To lock something up you need to also have a key, the key is going to be a digital wallet that uses Zero Knowledge Proofs to authenticate people while also keeping the details of the person private. It allows you to use cryptography to only share what's necessary and hide everything else. When this tech is combined with homomorphic encryption you can build a system where everything is behind encryption and an individual can choose who to share data with specifically.
This is the only way to build a proper, private, user-chooses-what-happens-to-their-data internet.
The EU isn't some scheming capitalist regime as I imagined, when I looked into it there are so many checks and balances that everything seemed really reasonable and well thought out. It's a good tech stack and the normal internet will still exist, this is for serious stuff like healthcare data and financial data.
SpontaneousFlame@reddit
No, this is BS. There’s no way to restrict anything a government or incompetent government IT department will choose to store online in a database or as flat files or whatever they decide, ripe for the plucking. This will lead to massive security breaches and governments will shrug and say it’s not their fault while instituting censorship and reducing people’s access to information.
Tall_Candidate_8088@reddit
What are the government storing? Do you have any idea how this actually works, you seem to have made up a hypothetical scenario to call bullshit.
If this is going to lead to massive security breaches then what do we have now? Why are you imagining scenarios that don't exist?
It's open source too. Do you know how open source works? Are you familiar with the EU cyber policy?
SpontaneousFlame@reddit
I’m more familiar with open source, EU policy, the GDPR and a host of other stuff than you are. The difference between what we have now and what some EU governments want to have is a database of your non-government browsing habits. The minute you introduce a government ID in the middle of browsing the web then you have the government recording exactly what sites you visit and when you visited them.
Tall_Candidate_8088@reddit
I'm not trying to be mean to you but your first statement is just you stating that you're smarter than me for no reason. That's not a genuine way of conversing. If you're as familiar with the scene as you claim you should have a handle on the CSA + CSA2, NIS2, CRA and DORA and you should have an understanding of what is in the Digital Omnibus currently going through the EU parliament. It's a lot to comprehend and if you were familiar with those directives and legislation you probably wouldn't have made the statements you have. Do some more research if you care.
SpontaneousFlame@reddit
What does a cloud security certification add to this conversation? Do you believe that if something has CDA2 certification it can’t or won’t be cracked, the data won’t or can’t be exfiltrated, internal malfeasance is impossible or governments won’t misuse the data? How many people have been prosecuted for negligence under NIS2? Heck, how many under NIS1? Really, you claiming this is relevant is a joke. The CRA is worse - it’s legislation that should have been passed over 20 years ago and there won’t be meaningful action for another 2 years. DORA is finance only. It doesn’t apply to government, social media, major internet service providers or, in fact, the majority of the web. You mentioning it means you don’t understand it.
There is no magic bullet. There is no 100% secure, hack-proof system. There is no technology that is not susceptible to tampering.
If you want to find out why it’s a bad idea read this: https://www.eff.org/deeplinks/2025/07/zero-knowledge-proofs-alone-are-not-digital-id-solution-protecting-user-privacy.
Tall_Candidate_8088@reddit
Did you read the article? There doesn't seem to be any substantial reason in that article for you to have stated "This will lead to massive security breaches and governments will shrug and say it’s not their fault while instituting censorship and reducing people’s access to information"
You're chasing your tail and twisting what you originally said to try to suit your narrative and then you say "There is no magic bullet". So what exactly are you advocating for? What's your solution?
SpontaneousFlame@reddit
I’m obviously advocating for less government intrusion. How did you not work that out?
Tall_Candidate_8088@reddit
I would love less government intrusion too but we don't have any influence on foreign governments so the next best thing is the EU government taking action against that in the most sensible manner. That's what we are looking at here and this is why I'm motivated in this conversation. This is the best possible outcome for Europeans in this scenario IMO. It's slow moving but it's the right thing to do in this scenario. I have trawled through the legislation trying to find the catch and there's been none, when you weigh up all the scenarios and consider individuals' rights over their data while also considering the geopolitical and economic implications of all the legislation I'm convinced that this isn't as bad as people are making it out to be and more so that there's interference from many sources trying to sow doubt regarding the strategy because it's a good one.
SpontaneousFlame@reddit
This makes no sense. The fix for foreign government interference isn’t local government interference. Adding additional ID verification mechanisms isn’t going to help to stop misuse. It’s just adding additional vectors for exploitation and privacy breaches.
I don’t think you are in any way technical, you’re just a proponent for this, a lobbyist or a government department or security agency worker pushing this.
I’ll make a prediction: within 12 months of this system going live the various security agencies will demand all failed ID verification be sent to them, and then will change that so that all successful ID verification are also sent because it’s just easier to send everything. Suddenly there are government databases of every website you have ID verified. This will be shared with their partners in the western world. You know, just for security.
And then it will be misused to target you if you step out of line. Expect people to be denied entrance to the US because of their browsing history…
Tall_Candidate_8088@reddit
I don't think you're very technical either and you're quite naive too. You seem to have no idea about the current landscape regarding data brokers and everything that comes along with it. Your prediction is like something a child would come up with.
SpontaneousFlame@reddit
Sure bro. Very believable.
Tall_Candidate_8088@reddit
You're funny man. A database of your non-government browsing habits...
You're stating that you're more familiar with EU policy than a person you've never met and a "host of other stuff".
Do you actually believe the stuff you're saying? You're just bullshitting, Dunning Kruger and all that.
SpontaneousFlame@reddit
Dude, you’ve shown you have no idea. Just your invoking of open source as somehow proof that this won't or can’t be misused shows you are clueless.
Dragoncat_3_4@reddit
Answer their questions bud. The only reason that "unauthorized people will access my data" is because every government en masse seems to have decided they want to. It wasn't a problem at all until July of last year.
Tall_Candidate_8088@reddit
See my other post man, we are going to encrypt everything and use a zero knowledge proof system for authentication. Age verification is just one part of the concept.
ult_avatar@reddit
This 'security flaw' only works if you have a rooted device, etc etc..
wiremash@reddit
As an Australian I'm actually somewhat envious of the EU's approach to this - there aren't any ZKP or open source aspects to our model. Instead we just followed the UK in outsourcing it to billionaire-backed entities seeking to grow the ID/age verification industry, with tech platforms choosing who the user must provide biometrics or ID documents through (e.g. Reddit has partnered with a Thiel-backed company). However, the impact has been blunted by heavy use of "age inferencing" (e.g. platforms are allowed to infer the user's age based on how old their account is) such that relatively few existing adult account holders have actually been asked to verify. It's something we'll encounter over time in a piecemeal way, like when creating a new account or if tech platforms start tightening compliance for existing accounts. I'll go without before providing my personal info under this system but sadly most people are likely to go along with it rather than lose access to platforms.
Main thing I'm curious about re the EU's model is whether it's platform agnostic, or if in practice it'll require an app that's only available through the Apple and Google stores.
TheHeroYouNeed247@reddit
Age inference policies discourage account hoppers like me who delete their accounts every few years.
PriorityMuted8024@reddit
It is platform agnostic
TheHeroYouNeed247@reddit
It's so funny to me that governments around the world are trying to convince people to put a bunch more sensitive info on highly networked devices that you carry everywhere. Then you have these tech bros trying to make you feel stupid saying how secure everything is, while the company they work for has its 10th data leak of the year.
Chipay@reddit
Durov is the guy angrily tweeting from Russia through a VPN about Western censorship, his opinion should be disregarded together with the uncritical talking points from politico.
Arguing that editing local files is a security issue is valid (and a frequent mistake in a ton of apps, how many apps are running a local sqlite file without any protection? Millions at least.), but that requires a compromised phone to run the age verification tool for it to actually manifest as a real issue. Google and Apple should really just, by default, sandbox apps into their own filesystem.
All that said, the app is open source and has high visibility because of the political implications, so it's unsurprising that vulnerabilities were quickly found, that's the entire benefit of open-source code.
Treinrukker@reddit
Lol you should check before spouting nonsense.
Neurobeak@reddit
Durov hasn't been in Russia for 5 years straight.
Conflictingview@reddit
OK, and? Is he tweeting from Tbilisi or Phuket like all the other Russians who fled conscription but still support the war in Ukraine?
BendicantMias@reddit (OP)
Bruh, it's pretty clear you know nothing about Durov.